Re: kernel NFSD


 



René Rebe wrote:
> 
> Hi all.
> 
> After I haven't used the kernel NFS server for a long time (needed to unmount devices
> (ZIP, CDROM, ...) during exports - which was/is not possible with the kernel NFS
> server) I gave it a new try. (Need the extra performance and 64bit file-sizes)
> 
> I use the 2.4.9 and 2.4.10 kernel and the 0.2.1 nfs-utils (glibc-2.1.3) to export
> an 80 GB ReiserFS on a RAID array under RockLinux.
> 
> NFS often mangles sym-link names to random garbage.
> 

It has nothing to do with reiserFS (this time:)


Subject:         [PATCH] NFSv3 symlink bug
   Date:         02 Oct 2001 18:58:53 +0200
   From:         Andreas Schwab <schwab@suse.de>
     To:         linux-kernel@vger.kernel.org

The NFSv3 server in the 2.4.10 kernel has a bug in the symlink
implementation.  The target pathname of the symlink is not necessarily
zero terminated when passed to vfs_symlink.  This does not happen with
NFSv2, because it explicitly zero terminates the string when decoding it
from XDR (xdr_decode_string does this), but NFSv3 uses
xdr_decode_string_inplace.  As a result you may get a spurious
ENAMETOOLONG when trying to create a symbolic link on an NFSv3 mounted
filesystem (if the length of the target path is a multiple of four).  If
you don't get an error the created symlink will have random characters
appended, which exposes kernel memory to user space (that's why it's a
security problem).

This patch changes the NFSv3 xdr function to use xdr_decode_string for the
symlink target, which seems to be the easiest solution.  I also considered
adding an additional parameter to vfs_symlink to pass the length, but that
requires changes in each and every filesystem and changes the VFS API.
That could be a task for 2.5.x.

--- linux/fs/nfsd/nfs3xdr.c.~1~ Fri Sep 21 06:02:01 2001
+++ linux/fs/nfsd/nfs3xdr.c     Tue Oct  2 16:12:27 2001
@@ -99,7 +99,11 @@
        char            *name;
        int             i;
 
-       if ((p = xdr_decode_string_inplace(p, namp, lenp, NFS3_MAXPATHLEN)) != NULL) {
+       /*
+        * Cannot use xdr_decode_string_inplace here, the name must be
+        * zero terminated for vfs_symlink.
+        */
+       if ((p = xdr_decode_string(p, namp, lenp, NFS3_MAXPATHLEN)) != NULL) {
                for (i = 0, name = *namp; i < *lenp; i++, name++) {
                        if (*name == '\0')
                                return NULL;
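
Review bot: The comment added above the xdr_decode_string call says what must not be used but not what goes wrong if it is; it should record that an unterminated target makes vfs_symlink read past the decoded name, so that the link can pick up stray bytes of kernel memory, otherwise a later cleanup may switch back to the in-place variant as an optimization. The embedded-NUL loop in the context lines still bounds on `i < *lenp`, which stays correct because the terminator now sits at index `*lenp`, and a short remark to that effect next to the loop would help readers. The hunk header does not name the function, so it is worth confirming that every caller of this decoder expects a terminated name.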

Andreas.
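
An added example (not part of the mail and not kernel code) that models the described difference in user space: an XDR string whose length is a multiple of four has no zero padding, so a consumer that expects a NUL-terminated string reads on into whatever follows. The names `decode_inplace`, `decode_terminated`, `build` and `consumer_len` are hypothetical, the buffer contents are constructed, and the terminating variant shown is one way to make room for the NUL, assumed here for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins modelling the two helpers named in the mail. */

/* XDR string: 4-byte big-endian length, then the bytes, zero-padded to a
 * multiple of four. Returns a pointer into buf; no terminator is written. */
static const char *decode_inplace(const uint8_t *buf, uint32_t *len)
{
    *len = (uint32_t)buf[0] << 24 | (uint32_t)buf[1] << 16 |
           (uint32_t)buf[2] << 8 | buf[3];
    return (const char *)buf + 4;
}

/* Terminating variant: slide the bytes down over the length word, which
 * frees room for a NUL without touching anything after the string. */
static char *decode_terminated(uint8_t *buf, uint32_t *len)
{
    const char *s = decode_inplace(buf, len);
    memmove(buf, s, *len);
    buf[*len] = '\0';
    return (char *)buf;
}

/* Constructed sample: `len` bytes of 'a' (len < 56) as an XDR string, then
 * "XXXX" and a NUL standing in for whatever lies after it in memory. */
static void build(uint8_t *buf, uint32_t len)
{
    size_t padded = (len + 3) & ~(size_t)3;
    memset(buf, 0, 4 + padded);
    buf[3] = (uint8_t)len;
    memset(buf + 4, 'a', len);
    memcpy(buf + 4 + padded, "XXXX", 5);
}

/* Length seen by a consumer that takes a C string and no length. */
static size_t consumer_len(uint32_t len, int terminated)
{
    uint8_t buf[64];
    uint32_t n;
    build(buf, len);
    return strlen(terminated ? decode_terminated(buf, &n)
                             : decode_inplace(buf, &n));
}

int main(void)
{
    for (uint32_t len = 6; len <= 8; len++)
        printf("len=%u inplace=%zu terminated=%zu\n", (unsigned)len,
               consumer_len(len, 0), consumer_len(len, 1));
}
```

For lengths 6 and 7 the padding happens to supply a zero byte; at length 8 only the terminating decode gives the consumer the length the client sent.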

